Avast WEBforum
Other => Viruses and worms => Topic started by: ellroy2 on September 25, 2013, 07:54:06 AM
-
Hello,
Avast keeps showing Win32:Sirefef-BTT & Win32:Malware-gen on the popup. I also can't download files or programs from online. When I go to run, after the security scan, it says that the file had a virus and was deleted. I see someone had a similar problem a couple days ago and someone was able to help fix the problem. It looks like I will have to download FRST to a flash drive from another computer. I will do that in the morning, but then I am lost after that. So any help would be great. Thanks.
-
If you cannot take over from there, download it from another computer and do the following:
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
-
Here are the files after running the FRST scan. Before the scan was run, I ran a Boot Scan from Avast and all infected files were moved to the Chest. I will await further instruction before I do anything else. Thank you.
-
1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
Start
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{eb645553-8e9b-ee5d-3bf3-4ec05a1d6bec}\ \...\???\{eb645553-8e9b-ee5d-3bf3-4ec05a1d6bec}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Program Files (x86)\Google\Desktop\Install\{eb645553-8e9b-ee5d-3bf3-4ec05a1d6bec}\ \...\???\{eb645553-8e9b-ee5d-3bf3-4ec05a1d6bec}\GoogleUpdate.exe
ZeroAccess:
C:\Users\Elliott\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
End
2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
****** Next *******
- Please download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
You may read how Combofix works here. (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
- Temporarily disable your antivirus program, usually via a right-click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this, please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) instruction.
- Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.
- When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) back to the topic.
(typical log location: C:\ComboFix.txt )
-
Ran ComboFix as instructed. The computer restarted, then the ComboFix screen came up saying "preparing log report. Do not run any programs until combofix has finished." However, it has been stuck at this screen for over 10 minutes. I have not opened any programs. Is this normal?
-
Remove the ComboFix icon from your desktop, download a new copy of ComboFix and rerun it.
-
It finally produced the log after about 20 minutes. See attached....
-
OK, rerun FRST and attach the logs here.
Please download Farbar Service Scanner (http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/) and run it on the computer with the issue.
- Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center/Action Center
- Windows Update
- Windows Defender
- Press "Scan".
- It will create a log (FSS.txt) in the same directory the tool is run.
- Please copy and paste the log to your reply.
-
FRST re-scan and FSS scan logs....
-
How's your computer behaving now?
-
Well it lets me download stuff from online now, so that is really good. Haven't had any threat blocks pop ups from Avast yet either.
-
Very good, I do not see anything suspicious :)
It is necessary to uninstall ComboFix :
- Click Start (or the Vista-style Start button) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the line of text type in (Copy) the following:
ComboFix /Uninstall
Note that there is a space between " ComboFix " and " /Uninstall " .
- then click OK (or press Enter ).
Wait until the uninstall process is complete.
Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.
Run the tool and check the following boxes below;
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Now click on the "Run" button. Wait until the program completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt
I don't need the DelFix log report.
-
Done. If that is everything, then THANKS a million!
-
Regards.
-
> How's your computer behaving now?
argus, I am not one of the "experts" who help people, but I noticed something in the last FRST log that ellroy posted:
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
There might be some other issues...
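The two kinds of entries this thread turns on, the ZeroAccess service path in the fixlist above (a directory chain containing a name that is only a space, `...` and `???`, behind a service called `*etadpug`) and the Winsock `Catalog5 01` lines quoted here, can be checked mechanically when reading an FRST log. What follows is an added example, not FRST's own code and not something any participant posted: a small Python triage script that applies those checks to constructed sample lines modelled on the ones quoted in the thread. The expected-library table holds only the one mapping FRST itself printed ("should be NLAapi.dll"); the reversed-service-name list is an assumption drawn from `etadpug` reading `gupdate` backwards.

```python
"""Triage FRST log lines for the ZeroAccess-style indicators seen in this thread.

Added example; not FRST's own code. SAMPLE_LOG is constructed, modelled on the
lines quoted in the thread, and is not a real scan result.
"""
from __future__ import annotations

import re

# Constructed sample, modelled on the FRST lines quoted in the thread.
SAMPLE_LOG = r"""
HKCU\...\Run: [Google Update*] - [x]
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{eb645553-8e9b-ee5d-3bf3-4ec05a1d6bec}\ \...\???\{eb645553-8e9b-ee5d-3bf3-4ec05a1d6bec}\GoogleUpdate.exe" <
S2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [45248 2013-08-30] (AVAST Software)
Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation)
Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation)
Winsock: Catalog9 01 %SystemRoot%\system32\mswsock.dll [232448] (Microsoft Corporation)
"""

# Expected namespace-provider library per catalog position. Only the mapping FRST
# printed in the thread ("LibraryPath should be NLAapi.dll") is filled in; extend
# it from a known-clean reference machine of the same Windows build.
EXPECTED_WINSOCK = {
    ("Catalog5", "01"): "nlaapi.dll",
    ("Catalog5-x64", "01"): "nlaapi.dll",
}

# Assumption: the service name is a legitimate name spelled backwards
# ("etadpug" in the thread's log is "gupdate" reversed).
REVERSED_NAME_BAIT = {"gupdate", "gupdatem"}

WINSOCK_RE = re.compile(r"^Winsock:\s+(Catalog\d+(?:-x64)?)\s+(\d+)\s+(\S+)")
SERVICE_RE = re.compile(r"^[RSU]\d\s+\*?([^;]+);")
# A drive-letter path. Components may contain spaces, dots and wildcard characters
# because that is exactly what we want to catch; the match stops at " < [ |.
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\"<>|\[\r\n]*\\)*[^\\"<>|\[\r\n]*')


def suspicious_components(path: str) -> list[str]:
    """Return reasons a path component cannot have been created via the Win32 API."""
    # Win32 strips trailing spaces and dots and rejects ? * : < > | " in names, so a
    # component such as ' ', '...' or '???' can only exist if it was created through
    # the NT namespace (\\?\ prefix). That is how ZeroAccess hides its directory
    # from Explorer and from tools that walk the tree with ordinary Win32 calls.
    reasons: list[str] = []
    for comp in path.split("\\")[1:]:          # [0] is the drive letter
        if comp in ("", ".", ".."):
            continue
        if comp.strip() == "":
            reasons.append(f"whitespace-only component {comp!r}")
        elif len(comp) > 2 and set(comp) == {"."}:
            reasons.append(f"dots-only component {comp!r}")
        elif comp != comp.rstrip(" ."):
            reasons.append(f"trailing space/dot in component {comp!r}")
        elif any(c in comp for c in '?*:<>|"'):
            reasons.append(f"reserved characters in component {comp!r}")
    return reasons


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (line, reason) findings for every indicator found in the log text."""
    findings: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ws = WINSOCK_RE.match(line)
        if ws:
            catalog, position, library = ws.groups()
            expected = EXPECTED_WINSOCK.get((catalog, position))
            actual = library.rsplit("\\", 1)[-1].lower()
            if expected and actual != expected:
                findings.append((line, f"{catalog} {position} is {actual}, expected {expected}"))
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            name = svc.group(1).strip()
            if name[::-1].lower() in REVERSED_NAME_BAIT:
                findings.append((line, f"service name {name!r} is a reversed legitimate name"))
        # Service, Run-key and file lines all carry quoted drive-letter paths.
        for path in WIN_PATH_RE.findall(line):
            for reason in suspicious_components(path):
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for hit_line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {hit_line}")
```

Run against a real FRST.txt by passing the file contents to `triage()`. The Winsock table deliberately stays small: the right library for each catalog position differs between Windows builds, so a mismatch is a prompt to compare against a clean machine of the same build, not proof of tampering on its own, which is consistent with argus's later remark that these particular lines were nothing to worry about.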
-
ellroy, the reason that your computer got infected with malware is because you have a VERY old, out-dated version of Java installed on it. You need to uninstall all of the old versions of Java that are installed on your computer.
Exploit kits take advantage of vulnerabilities in Java in order to install malware on your computer. With an old version of Java installed, your computer is at an EXTREMELY high risk of being infected with malware.
It is better to not have Java installed, but if you absolutely have to have it installed, you need to keep it up-to-date. Also, be sure to uninstall the old versions.
-
> How's your computer behaving now?
> argus, I am not one of the "experts" who help people, but I noticed something in the last FRST log that ellroy posted:
> Winsock: Catalog5 01 %SystemRoot%\System32\mswsock.dll [232448] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
> Winsock: Catalog5-x64 01 %SystemRoot%\System32\mswsock.dll [326144] (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
> There might be some other issues...
You do not have to worry about that.
-
Visit the Secunia Online Software Inspector:
Free Online Computer Scan - Online Software Inspector (OSI) - Secunia
http://secunia.com/vulnerability_scanning/online/
Click 'Start Scanner'
Wait for Status/Currently Processing: at the lower left to say 'Java Applet loaded successfully. Press "Start" to begin.' (allow Java to run).
Click 'Start'.
The scan should take less than a minute or so.
When done, download and install all the recommended updates.
-
Please download the Services Repair tool, available here, and save it to your Desktop. Right-click on it and select Run As Administrator, then follow the prompts. It should reboot when it finishes. If not, reboot it yourself.
http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe
-
OK, I will do that. A couple of weeks ago I had to take this computer back to factory settings because I had some sort of Windows boot issue that would not allow the system to boot (not even in safe mode) and would not do a system repair or restore. I suspect that there was a possible issue with AVG (which I was using at the time) that caused this, but I'm not sure. So that is probably the reason why my Java is out of date.
-
ellroy2, you do not have to worry; the malware is gone and those entries are only FRST reports.
The LSP chain was edited by ComboFix.
-
Thanks again!